SSL

The traditional approach to securing HTTP operations is by means of SSL. Android
supports SSL, much as ordinary Java does. Most of the time, you can just allow
Android to do its thing with respect to SSL, and you will be fine. However, there
may be times when you have to play a more direct role in SSL communications, to
handle arbitrary SSL-encrypted endpoints, or to help ensure that your app is not
the victim of a man-in-the-middle attack.

This chapter will explore various SSL scenarios and how to address them.

Prerequisites

Understanding this chapter requires that you have read the core chapters
of this book, particularly the chapter on Internet access.

Basic SSL Operation

If you use an https: URL with HttpURLConnection or WebView,
SSL handshaking will happen automatically, and assuming the certificates check out
OK, you will get your result, just as if you had requested an http: URL.

DownloadManager is an exception. Originally, requesting
a download via DownloadManager with an https: scheme would result in
java.lang.IllegalArgumentException: Can only download HTTP URIs. As of Android 4.0,
SSL is supported. Hence, you need to be careful about making SSL requests via
DownloadManager if your minSdkVersion is less than 14.
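
One way to guard against that exception, shown as an added example that is not
from this book's sample apps: check the API level before handing an https: URL
to DownloadManager. The SecureDownloads class and its method names are
hypothetical.

```java
import android.app.DownloadManager;
import android.content.Context;
import android.net.Uri;
import android.os.Build;

// Hypothetical helper (an assumption for illustration, not the book's code).
public final class SecureDownloads {
  // Returned by enqueue() when DownloadManager cannot handle the URI here.
  public static final long NOT_ENQUEUED = -1L;

  private SecureDownloads() {
  }

  /** True if DownloadManager on this device accepts the URI's scheme. */
  public static boolean canDownload(Uri uri) {
    String scheme = uri.getScheme();

    if ("http".equalsIgnoreCase(scheme)) {
      return true;
    }

    if ("https".equalsIgnoreCase(scheme)) {
      // SSL support in DownloadManager arrived with Android 4.0 (API 14).
      return Build.VERSION.SDK_INT >= Build.VERSION_CODES.ICE_CREAM_SANDWICH;
    }

    return false; // DownloadManager handles only http and https
  }

  /**
   * Enqueues the download and returns its ID, or NOT_ENQUEUED if this device
   * would reject the URI. The URI is never rewritten from https: to http:,
   * so the caller decides how to fetch it over SSL some other way.
   */
  public static long enqueue(Context ctxt, Uri uri) {
    if (!canDownload(uri)) {
      return NOT_ENQUEUED;
    }

    DownloadManager mgr =
        (DownloadManager) ctxt.getSystemService(Context.DOWNLOAD_SERVICE);

    return mgr.enqueue(new DownloadManager.Request(uri));
  }
}
```

On a NOT_ENQUEUED result, the app can download the file itself with
HttpURLConnection, which performs the SSL handshake on those older devices.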

For example, the Retrofit and Picasso sample apps from
the chapter on Internet access both use
https://api.stackexchange.com for their service endpoint. As a result, those
requests — for the API JSON, at least — will go over SSL. You would need to
log the URLs used for the image avatars to see whether StackExchange gives you https
URLs or not.

Problems in Paradise

The preview of this section will not appear here for a while, due to a time machine mishap.